Storage accommodation for records should be clean, tidy, secure, prevent damage to the records and provide a safe working environment for staff.
For records in electronic format, maintenance in terms of back-up and planned migration to new platforms should be designed and scheduled to ensure continuing access to readable information.
All equipment used to store records should be safe, secure from unauthorised access and meet health and safety and fire regulations, but also allow maximum accessibility of the information commensurate with its frequency of use.
When paper records are no longer required for the conduct of current business, their placement in a designated secondary storage area may be a more economical and efficient way to store them.
There should be archiving policies and procedures in place for both paper and electronic records which should take account of the need to preserve important information and keep it confidential and secure.
A contingency or business continuity plan should be in place to provide protection for all types of records that are vital to the continued functioning of the Organisation.
Key expertise in relation to environmental hazards, assessment of risk, business continuity and other considerations is likely to rest with information security staff and their advice should be sought on these matters.
Digital continuity is the ability to use electronically created records for as long as they are needed.
In some cases this may mean having to manage electronic records which need to be permanently preserved.
Organisations who choose to install electronic record creation systems should take into account the need to manage the records created for the entirety of their lifecycles.
How organisations use, and maintain, records created within electronic systems will largely depend on the nature of the organisation and the information itself.
In some cases full functionality will be required for the records for the entirety of their lifecycles, whereas for others the ability to read the records may be enough.
Scanning of records
For reasons such as business efficiency or to address problems with storage space, organisations may consider the option of scanning into electronic format records which exist in paper format.
Where this is proposed, the factors to be taken into account include:
- the need to protect the evidential value of the record by copying and storing the record in accordance with British Standards, in particular the ‘Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically’ (BIP 0008)3
- the need to consult PRONI in advance with regard to records which may have archival value, as the value may include the format in which it was created
- the costs of the initial and then any later media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept
The decision on whether or not the original paper documentation can be destroyed once it has been scanned is a decision that each organisation as a Data Controller must make.
The Department can only refer you to the standards which should be achieved.
Compliance with the British Standard BIP 008 should be achieved.
To help assess the status of compliance with the requirements of BIP0008 a compliance workbook (BIP0009) is published, consisting of a series of questions each of which needs to be reviewed and answered.
It cannot be assumed that because an EDRMS system is in place, all the documents within the system are necessarily admissible as evidence before a court.
One of the key important steps is an audit of the system using the British Standard BIP 0009 workbook.
EDRMS's are very configurable, but it is extremely important that they are configured in a way that complies with the criteria in the standard.
The process for transfer of the hard copy originals to an electronic media requires a great deal of control, and must be process driven with little margin for human error.
Within the court setting, if there is a challenge to document authenticity it will be the system process documents which will be required as evidence alongside the document audit trail.
If a document is to be admissible in court, its authenticity must be provable.
Even if a document is admissible in evidence, the weight which a court may give to it is likely to be greater if best practice set out in the following paragraphs is followed.
Whilst compliance with BIP 0008 does not guarantee legal admissibility it enables organisations to demonstrate that they are following best practice.
The five principles of information management encapsulated in BIP0008 are:
1. Representation of information
An information management policy document should describe the different types of information held within the organisation and, for each type, specify:
- the level of security
- appropriate storage media
- formats and version control
- information management standards, e.g. quality
- retention and destruction policy
- responsibilities and roles for information management functions
- responsibilities for compliance with the BIP0008
2. Duty of care
Organisations need to have in place:
- an awareness of the legislative and regulatory bodies pertinent to its industry
- a chain of accountability and defined responsibility for activities involving electronic document records management at all levels
- a system to keep up to date with information management theory and practice
- a documented information security policy
3. Business procedures and processes
Organisations should have a user manual for each of its information management systems.
The manual is the document that the organisation will produce, if it's electronic storage methods are ever challenged, to prove to auditors, lawyers or judges that the processes are precise, secure and approved for its normal business procedures.
The user manual will typically define the following:
- document types
- preparation of documents prior to scanning
- batch control
- scanning processes
- scanning specific documents
- image processing
- compression techniques
- how information is indexed
- quality control
- procedures for producing authenticated output
- procedures for authenticating copies of documents
- how information is transmitted within the system
- procedures for document retention and destruction
- system maintenance schedules
- security and protection, including encryption and the use of digital certificates
- backup and system recovery procedures
- use of bureau services
- date/time stamping
- version control
BIP 0008 insists that the procedures and processes be audited annually, or more frequently for legally sensitive archives, to make sure that the approved procedures are being observed or that new ones meet the requirements and are formally and properly incorporated in the manual.
4. Enabling technologies
A typical system will be comprised of many different technologies, each of which need to comply with BIP0008.
These technologies include:
- storage media
- access control mechanisms
- system and data integrity
- image processing
- compression techniques
- compound documents
- data migration
- document deletion
5. Audit trails
BIP0008 requires that a system must have full auditing functionality.
Without detailed audit trails authenticating a document, and therefore satisfying a legal body, may not be possible.
The audit trail, as a minimum, should log details of each significant event in the life of a document in the system.
The audit trail should:
- be generated automatically by the system
- contain date/time stamps for each event
- be non-alterable
- be stored in accordance with the organisation’s information management policy
- be subject to appropriate access control
- be securely stored and backed-up
Microfilming of records
Microfilm records can be certified as providing legally admissible archival documents but specific standards for microfilming of records need to be met.
The National Preservation Office (allied to the British Library) has produced standards (Guide to Preservation Microfilming 2000) for preservation microfilming which are acceptable to archive institutions throughout the UK.